
# Network security group for the API Management subnet.
#
# Inbound allows are limited to the Azure service tags listed below
# (Internet 443, ApiManagement 3443, AzureLoadBalancer 6390,
# AzureTrafficManager 443); outbound allows cover the declared
# dependencies (Storage 443, SQL 1433, AzureKeyVault 443,
# AzureMonitor 1886/443). No explicit deny rule is declared here, so any
# other traffic falls through to the NSG's built-in default rules.
#
# NOTE(review): every rule uses the broad "VirtualNetwork" tag as its
# VNet-side prefix. If the APIM subnet CIDR is available, narrowing
# destination_address_prefix (inbound) / source_address_prefix (outbound)
# to it would stop these allows from applying if the NSG is ever attached
# to another subnet -- confirm against the VNet layout before tightening.
resource "azurerm_network_security_group" "nsg_apim" {
  name                = var.nsg_apim_name
  location            = var.location
  resource_group_name = var.resource_group_name

  # ---------------------------------------------------------------------
  # Inbound
  # ---------------------------------------------------------------------

  # Public HTTPS to the gateway. Required only for an external
  # (internet-facing) APIM deployment; not needed in internal mode.
  security_rule {
    name                       = "allowanyhttpsinbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "Internet"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "443"
  }

  # APIM management endpoint, reached from the ApiManagement service tag.
  security_rule {
    name                       = "management-endpoint"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "ApiManagement"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "3443"
  }

  # Azure load balancer traffic on 6390.
  security_rule {
    name                       = "load-balancer"
    priority                   = 210
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "AzureLoadBalancer"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "6390"
  }

  # Azure Traffic Manager on 443.
  security_rule {
    name                       = "traffic-manager"
    priority                   = 220
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "AzureTrafficManager"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "443"
  }

  # ---------------------------------------------------------------------
  # Outbound
  # ---------------------------------------------------------------------

  # Storage dependency over HTTPS.
  security_rule {
    name                       = "dependency-on-storage"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "Storage"
    destination_port_range     = "443"
  }

  # SQL dependency on 1433.
  security_rule {
    name                       = "dependency-on-sql"
    priority                   = 200
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "SQL"
    destination_port_range     = "1433"
  }

  # Key Vault dependency over HTTPS.
  security_rule {
    name                       = "dependency-on-kv"
    priority                   = 300
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "AzureKeyVault"
    destination_port_range     = "443"
  }

  # Diagnostics / metrics to Azure Monitor on 1886 and 443.
  # NOTE(review): the rule name is misspelled ("diagnostcs"). Renaming it
  # would replace the rule in Azure on the next apply, so it is kept as-is.
  security_rule {
    name                       = "publish-diagnostcs"
    priority                   = 400
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "AzureMonitor"
    destination_port_ranges    = ["1886", "443"]
  }
}

# Attach the NSG above to the APIM subnet supplied by the caller.
resource "azurerm_subnet_network_security_group_association" "nsg_apim_association" {
  subnet_id                 = var.apim_subnet_id
  network_security_group_id = azurerm_network_security_group.nsg_apim.id
}